How to add signer certificate in Liberty

In my application running on Liberty, we need to communicate with another application running on a remote server (TWAS) through REST services. I've enabled SSL connection in Liberty, but when sending a request to the remote server via SSL, it encounters an error like the one below:

    [err] javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=sample.ibm.com, OU=Root Certificate, OU=localhost, OU=localhost, O=IBM, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
    [err] at com.ibm.jsse2.j.a(j.java:24)
    [err] at com.ibm.jsse2.qc.a(qc.java:258)
    [err] at com.ibm.jsse2.ab.a(ab.java:91)
    [err] at com.ibm.jsse2.ab.a(ab.java:187)
    [err] at com.ibm.jsse2.bb.a(bb.java:583)
    [err] at com.ibm.jsse2.bb.a(bb.java:391)
    [err] at com.ibm.jsse2.ab.r(ab.java:528)
    [err] at com.ibm.jsse2.ab.a(ab.java:39)
    [err] at com.ibm.jsse2.qc.a(qc.java:758)
    [err] at com.ibm.jsse2.qc.h(qc.java:266)
    [err] at com.ibm.jsse2.qc.a(qc.java:770)
    [err] at com.ibm.jsse2.qc.startHandshake(qc.java:476)
    [err] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:48)
    [err] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:47)
    [err] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1312)
    [err] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:479)
    [err] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:49)

I can work around this issue with the following steps:

1. Suppose the remote server is running on machine A, and I have another machine B that runs another TWAS.
2. Log on to the WAS admin console on machine B and navigate to “Security” -> “SSL certificate and key management” -> “Key stores and certificates”.
3. Click “New” to create a new JKS keystore.
4. Open the keystore just created and click “Signer certificates”.
5. Click “Retrieve from port”, enter the host and port of the TWAS on machine A in the form, click “Retrieve signer information”, and then “Apply”.
6. Copy the keystore file to the Liberty profile.
7. Update the SSL configuration in server.xml, for example (Liberty element and attribute names are case-sensitive):

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true" />

1 reply

In the Liberty profile, you can use the keytool in the JDK (also ikeyman in IBM JDK) to import the signer certificates. You can retrieve the signers from the port using the WAS admin console or in some cases using the browser (save the cert when the browser prompts you to trust the signer certificate).
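The "retrieve from port" and keytool import steps described in the question and the reply, done from the command line, as an added example that is not from this thread or from IBM: it assumes openssl and the JDK keytool are on PATH, and the host, port, file paths, store password and alias are placeholders. The transcript embedded in the script is constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM. Assumes openssl and the JDK
# keytool are on PATH; hosts, ports, file paths, password and alias are placeholders.

# Constructed stand-in for an "openssl s_client -showcerts" transcript: the
# server sends its leaf certificate followed by the signer (root) certificate.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
LEAF-CERT-BODY-constructed
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SIGNER-CERT-BODY-constructed
-----END CERTIFICATE-----
---'

# Number of PEM certificates in a transcript read from stdin. If it is 1, the
# server did not send its signer; obtain that from the remote administrator.
count_pems() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Last PEM certificate in a transcript read from stdin: the highest certificate
# the server presented, i.e. the signer when the chain is complete.
extract_last_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
         inside                       { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/  { inside = 0; last = buf }
         END                          { printf "%s", last }'
}

# Retrieve the signer from HOST:PORT (the TWAS on machine A) into OUT_PEM and
# print its subject, issuer and fingerprints so they can be checked against
# what the remote administrator expects before anything is trusted.
fetch_signer() {    # usage: fetch_signer host port out.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | extract_last_pem > "$3"
    keytool -printcert -file "$3"
}

# Import the signer into a JKS truststore for Liberty (created if missing);
# reference the file from a <keyStore> with id="defaultTrustStore" in server.xml.
import_signer() {   # usage: import_signer signer.pem truststore.jks storepass alias
    keytool -importcert -noprompt -trustcacerts -file "$1" \
        -keystore "$2" -storetype JKS -storepass "$3" -alias "$4"
}

# Placeholder invocation (needs network access to the remote TWAS):
# fetch_signer sample.ibm.com 9443 twas-signer.pem
# import_signer twas-signer.pem resources/security/trust.jks changeit twas-signer
```

The `keytool -printcert` step exists so the fingerprint can be compared with one obtained out of band; importing whatever the port returns without that check trusts any party able to answer on that address.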